Re: [Snort-sigs] Snort down

[James Lay <jlay () slave-tothe-box net>]

Ya good call...Waldo is on the right track.
James
On Wed, 2016-06-15 at 08:38 -0400, wkitty42 () windstream net wrote:
> On 06/15/2016 04:47 AM, ARUN LAL wrote:
> > =====================
> > ERROR: /etc/snort/rules/snort.rules(6053) threshold (in rule):
> > could not
> > create threshold - only one per sig_id=2014141.
> > =====================
> > After uncommenting the rule in snort.rule the snort service is
> > running fine.
> >
> >             *Why it happens always?? Can some explain it to me?*
> it appears that that rule has in-rule thresholding
> (detection_filter:track 
> by_src, count 10, seconds 60;) and you are trying to threshold it
> again in 
> threshold.conf?? you cannot threshold already thresholded rules... if
> you want 
> to threshold it in threshold.conf, you have to remove the
> thresholding from the 
> rule itself...
------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are 
consuming the most bandwidth. Provides multi-vendor support for NetFlow, 
J-Flow, sFlow and other flows. Make informed decisions using capacity planning
reports. http://pubads.g.doubleclick.net/gampad/clk?id=1444514421&iu=/41014381

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!